if (isset($_POST['login_btn'])) {
$username = mysqli_real_escape_string($db, $_POST['username']);
$password = mysqli_real_escape_string($db, $_POST['password']);
if (empty($username)) {
array_push($errors, "Username is Required");
}
if (empty($password)) {
array_push($errors, "Password is Required");
}
if (count($errors) == 0) {
$password = md5($password);
$query = "SELECT * FROM request WHERE username='$username' AND password='$password' ";
$results = mysqli_query($db, $query);
if (mysqli_num_rows($results) == 1){
$logged_in_user = mysqli_fetch_assoc($results);
if ($logged_in_user['user_type'] == 'admin') {
$_SESSION['user'] = $logged_in_user;
$_SESSION['success'] = "Welcome Admin";
header('location: admin/home.php');
}elseif($logged_in_user['user_type'] == 'employee') {
$_SESSION['user'] = $logged_in_user;
$_SESSION['success'] = "Welcome Employee";
header('location: admin/employee.php');
}else{
$_SESSION['user'] = $logged_in_user;
$_SESSION['success'] = "Welcome User";
header('location: index.php');
}
}else {
array_push($errors, "Wrong username/password combination");
}
}
}
if (isset($_POST['login_btn'])) {
$username = mysqli_real_escape_string($db, $_POST['username']);
$password = mysqli_real_escape_string($db, $_POST['password']);
if (count($errors) == 0) {
$password = md5($password);
$query = "SELECT * FROM request WHERE username='$username' AND password = '$password'";
$check_user=mysqli_query($db,$query);
if (mysqli_num_rows($check_user)==1){
$approved_by_admin = mysqli_fetch_assoc($check_user);
if($approved_by_admin ["status"] =='approved'){
echo '<script type = "text/javascript">';
echo 'alert("Login Success!")';
echo 'window.location.href = "index.php"';
echo '</script>';
}
elseif($approved_by_admin ["status"] =='pending'){
echo '<script type = "text/javascript">';
echo 'alert("Your account is still pending for approval!")';
echo 'window.location.href = "login.php"';
echo '</script>';
}
}else{
echo "Wrong Combination";
}
}
}
My query for approve and pending is not working.
If i remove query for admin, employee and user it will work but this will not work the echo 'window.location.href = "index.php"';
Basically my code is not working since it will just continue to login even if the user's status is pending and not approved by the admin.
The 2nd part of if (isset($_POST['login_btn'])) { for pending and approve is not working
You need to integrate the test for approval into the existing login process. It makes no sense to have two separate processe sets of code, because
a) it's inefficient to query the same data twice from the database, and
b) the first part of the code will have already set up the redirects before you even start checking with the second part.
This will make more sense, I think:
if (isset($_POST['login_btn'])) {
$username = mysqli_real_escape_string($db, $_POST['username']);
$password = mysqli_real_escape_string($db, $_POST['password']);
if (empty($username)) {
array_push($errors, "Username is Required");
}
if (empty($password)) {
array_push($errors, "Password is Required");
}
if (count($errors) == 0) {
$password = md5($password);
$query = "SELECT * FROM request WHERE username='$username' AND password='$password' ";
$results = mysqli_query($db, $query);
if (mysqli_num_rows($results) == 1){
$logged_in_user = mysqli_fetch_assoc($results);
if ($logged_in_user['user_type'] == 'admin') {
$_SESSION['user'] = $logged_in_user;
$_SESSION['success'] = "Welcome Admin";
header('location: admin/home.php');
exit();
}elseif($logged_in_user['user_type'] == 'employee') {
$_SESSION['user'] = $logged_in_user;
$_SESSION['success'] = "Welcome Employee";
header('location: admin/employee.php');
exit();
}else{
if($logged_in_user["status"] =='approved'){
$_SESSION['user'] = $logged_in_user;
$_SESSION['success'] = "Welcome User";
header('location: index.php');
exit();
}
else {
echo '<script type="text/javascript">';
echo 'alert("Your account is still waiting for approval!")';
echo 'window.location.href = "login.php"';
echo '</script>';
}
}
}else {
array_push($errors, "Wrong username/password combination");
}
}
}
P.S. You should always exit(); immediately after you set a Location header, then there is no danger of protected content being accidentally leaked from later in the script.
P.P.S. Please don't store passwords using the obsolete, insecure md5 algorithm - that is a security risk. Learn about PHP's built-in, up-to-date, secure password hashing and verification functions instead.
P.P.P.S. While mysqli_real_escape_string will protect against most SQL injections, it's not foolproof. Prepared statements and parameters are a more secure and up-to-date way to write queries safely. See How can I prevent SQL injection in PHP for a thorough guide.
Related
This question already has answers here:
How do I get PHP errors to display?
(27 answers)
What to do with mysqli problems? Errors like mysqli_fetch_array(): Argument #1 must be of type mysqli_result and such
(1 answer)
Closed 3 years ago.
Hi am trying to display the name of user that just logged in, Now when i sign up it works but when i login it does not work, please help.
This it the php code at the top of the index.php
<?php
session_start();
if (!isset($_SESSION['username'])) {
$_SESSION['msg'] = "You must log in first";
header('location: login.php');
}
if (isset($_GET['logout'])) {
session_destroy();
unset($_SESSION['username']);
header("location: login.php");
}
?>
This is the code that was meant to display the name that is in the index.php
<?php echo ucfirst($_SESSION['username']); ?>
This is my server.php
<?php
session_start();
// initializing variables
$username = "";
$email = "";
$errors = array();
// connect to the database
$db = mysqli_connect('localhost', 'root', '', 'register');
// REGISTER USER
if (isset($_POST['reg_user'])) {
// receive all input values from the form
$username = mysqli_real_escape_string($db, $_POST['username']);
$email = mysqli_real_escape_string($db, $_POST['email']);
$password_1 = mysqli_real_escape_string($db, $_POST['password_1']);
$password_2 = mysqli_real_escape_string($db, $_POST['password_2']);
// form validation: ensure that the form is correctly filled ...
// by adding (array_push()) corresponding error unto $errors array
if (empty($username)) { array_push($errors, "Username is required"); }
if (empty($email)) { array_push($errors, "Email is required"); }
if (empty($password_1)) { array_push($errors, "Password is required"); }
if ($password_1 != $password_2) {
array_push($errors, "The two passwords do not match");
}
// first check the database to make sure
// a user does not already exist with the same username and/or email
$user_check_query = "SELECT * FROM user WHERE username='$username' OR email='$email' LIMIT 1";
$result = mysqli_query($db, $user_check_query);
$user = mysqli_fetch_assoc($result);
if ($user) { // if user exists
if ($user['username'] === $username) {
array_push($errors, "Username already exists");
}
if ($user['email'] === $email) {
array_push($errors, "email already exists");
}
}
// Finally, register user if there are no errors in the form
if (count($errors) == 0) {
$password = md5($password_1);//encrypt the password before saving in the database
$query = "INSERT INTO user (username, email, password)
VALUES('$username', '$email', '$password')";
mysqli_query($db, $query);
$_SESSION['username'] = $username;
$_SESSION['success'] = "You are now logged in";
header('location: index.php');
}
}
// LOGIN USER
if (isset($_POST['login_user'])) {
$email = mysqli_real_escape_string($db, $_POST['email']);
$password = mysqli_real_escape_string($db, $_POST['password']);
if (empty($email)) {
array_push($errors, "Email is required");
}
if (empty($password)) {
array_push($errors, "Password is required");
}
if (count($errors) == 0) {
$password = md5($password);
$query = "SELECT * FROM user WHERE email='$email' AND password='$password'";
$results = mysqli_query($db, $query);
if (mysqli_num_rows($results) == 1) {
$_SESSION['username'] = $username;
$_SESSION['success'] = "You are now logged in";
header('location: index.php');
}else {
array_push($errors, "Wrong username/password combination");
}
}
}
?>
But is like i have discovered that it is because there is no input code that has name="username" in my login.php
yeah, Remember the user is logging in with email and password not username and password, thank you.
This is what your code needs. You will have to enable sessions if you have not done so.
//enable sessions if you have not done so
//session_start();
//$_SESSION['username'] = 'nancy';
$_SESSION['username'] = $results['username'];
You can then echo it as follows
<?php
//enable sessions if you have not done so
//session_start();
echo htmlentities($_SESSION['username']);
?>
hence your code will look like
// LOGIN USER
if (isset($_POST['login_user'])) {
$email = mysqli_real_escape_string($db, $_POST['email']);
$password = mysqli_real_escape_string($db, $_POST['password']);
if (empty($email)) {
array_push($errors, "Email is required");
}
if (empty($password)) {
array_push($errors, "Password is required");
}
if (count($errors) == 0) {
$password = md5($password);
$query = "SELECT * FROM user WHERE email='$email' AND password='$password'";
$results = mysqli_query($db, $query);
if (mysqli_num_rows($results) == 1) {
//session_start();
// $_SESSION['username'] = 'nancy';
$_SESSION['username'] = $results['username'];
$_SESSION['success'] = "You are now logged in";
header('location: index.php');
}else {
array_push($errors, "Wrong username/password combination");
}
}
}
Please am sure that you are not using this code in production. Php has a native way of hashing password and you are using deprecated md5.
You can refer on my previous answers on how to write login based on php way.
source As for sql injection, I will suggest that you used prepared statements as its more safer
I have problem with PHP $_SESSION.
I see only "username" in index page after successfull login/register.
When I change $_SESSION['username'] to $_SESSION['password'] is also displayed.
I need to display "points" value, which is not defined by user during login/register (5 points is auto added to user after register)
How to echo values from database, which are not inserted by users?
if (isset($_POST['login_user'])) {
$username = mysqli_real_escape_string($db, $_POST['username']);
$password = mysqli_real_escape_string($db, $_POST['password']);
if (empty($username)) {
array_push($errors, "Please write username");
}
if (empty($password)) {
array_push($errors, "Please write password");
}
if (count($errors) == 0) {
$password = md5($password);
$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$results = mysqli_query($db, $query);
if (mysqli_num_rows($results) == 1) {
$_SESSION['username'] = $username;
$_SESSION['success'] = "Logged in ";
header('location: index.php');
}else {
array_push($errors, "Something went wrong");
}
}
}```
Try with :
...
if (mysqli_num_rows($results) == 1) {
$row=mysqli_fetch_assoc($result);
//check the data you get from the BD
var_dump($row);die;
// you'll get an array with you data where you'll find the points
// then just assign it to a session
$_SESSION['user_points'] = $row['user_points']; // for example
$_SESSION['username'] = $username;
$_SESSION['success'] = "Logged in ";
header('location: index.php');
}
...
// LOGIN USER
if (isset($_POST['login_user'])) {
$username = mysqli_real_escape_string($db, $_POST['username']);
$password = mysqli_real_escape_string($db, $_POST['password']);
if (empty($username)) {
array_push($errors, "Username is required");
}
if (empty($password)) {
array_push($errors, "Password is required");
}
if (count($errors) == 0) {
$password = md5($password);
$query = "SELECT * FROM register WHERE username='$username' AND password='$password'";
$results = mysqli_query($db, $query);
}
$qry = "SELECT * from register";
$result = mysqli_query($qry);
$row = mysqli_fetch_array($result);
$id = $row[0];
if (mysqli_num_rows($results) == 1) {
//here i want to change session from username to id
$_SESSION['username'] = $username;
$_SESSION['success'] = "You are now logged in";
header('location: index.php');
}else {
array_push($errors, "Wrong username/password combination");
}
}
?>
This code is also working but i want to replace the username session to id session. Please help me how i get replace it by id.
Here i want to set session as id from username. so please help me how i have to get the solution of my code.
Just copy this Code :
replace your code
$_SESSION['username'] = $username;
to
$_SESSION['id'] = $username;
look like :
if (mysqli_num_rows($results) == 1) {
//here i want to change session from username to id
$_SESSION['id'] = $username;
$_SESSION['success'] = "You are now logged in";
header('location: index.php');
}else {
array_push($errors, "Wrong username/password combination");
}
You can get the value like this, because we are get result into an array
$row = mysqli_fetch_array($result);
$id = $row[0];
Correct method is below
// LOGIN USER
if (isset($_POST['login_user'])) {
$username = mysqli_real_escape_string($db, $_POST['username']);
$password = mysqli_real_escape_string($db, $_POST['password']);
if (empty($username)) {
array_push($errors, "Username is required");
}
if (empty($password)) {
array_push($errors, "Password is required");
}
if (count($errors) == 0) {
$password = md5($password);
$query = "SELECT * FROM register WHERE username='$username' AND password='$password'";
$results = mysqli_query($db, $query);
}
$qry = "SELECT * from register";
$result = mysqli_query($qry);
$row = mysqli_fetch_array($result);
// $id = $row[0];
$id = $row['id']; //this is the primary key
if (mysqli_num_rows($results) == 1) {
$_SESSION['id'] = $id;
$_SESSION['success'] = "You are now logged in";
header('location: index.php');
}else {
array_push($errors, "Wrong username/password combination");
}
}
?>
Just set the $_SESSION['id'] = $id.
I have a login page where user insert their username and password.
I create a session which will display the username of the user at the main page using below code.
However, instead of the username, I want to display the user's full name. How do I display the full name using $_SESSION['username']?
My table name is users and consist of column fullname, username and password.
if (isset($_POST['login_user'])) {
$username = mysqli_real_escape_string($db, $_POST['username']);
$password = mysqli_real_escape_string($db, $_POST['password']);
if (empty($username)) {
array_push($errors, "Username is required");
}
if (empty($password)) {
array_push($errors, "Password is required");
}
if (count($errors) == 0) {
$password = md5($password);
$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$results = mysqli_query($db, $query);
if (mysqli_num_rows($results) == 1) {
$_SESSION['username'] = $username;
$_SESSION['success'] = "You are now logged in";
header('location: index.php');
}else {
array_push($errors, "Wrong username/password combination");
}
}
}
Use db query like mysqli_fetch_assoc to get data from db
if (count($errors) == 0) {
$password = md5($password);
$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$results = mysqli_query($db, $query);
if (mysqli_num_rows($results) == 1) {
$row = mysqli_fetch_assoc($results );
$_SESSION['fullname'] = $row['fullname'];
$_SESSION['username'] = $username;
$_SESSION['success'] = "You are now logged in";
header('location: index.php');
}else {
array_push($errors, "Wrong username/password combination");
}
}
for more : https://www.w3schools.com/php/func_mysqli_fetch_row.asp
Below is the code I'm running. I'm trying to get it so my CMS index.php will deny access if the users user_level is under 1. I'm logging in with a test account setup with the user_level at 1 but I'm not having any luck.
Code on top of my index.html:
<?php
if($_SESSION['user_level'] == "1"){
header("Location: index.php");
exit;
}else{ header("Location: login.php");
exit;
}
So if user_level is 1 or higher, proceed to index.html (which is my CPanel index, not my actual sites index.
If the user_level is below 1, redirect back to login.
Here's my server.php code where all the magic happens after you click login.
<?php
session_start();
// variable declaration
$fullname = "";
$useremail = "";
$age = "";
$igname = "";
$profileurl = "";
$errors = array();
// connect to database
$db = mysqli_connect('****', '****', '****',
'****');
// REGISTER USER
if (isset($_POST['reg_user'])) {
// receive all input values from the form
$fullname = mysqli_real_escape_string($db, $_POST['fullname']);
$useremail = mysqli_real_escape_string($db, $_POST['useremail']);
$age = mysqli_real_escape_string($db, $_POST['age']);
$igname = mysqli_real_escape_string($db, $_POST['igname']);
$profileurl = mysqli_real_escape_string($db, $_POST['profileurl']);
$password_1 = mysqli_real_escape_string($db, $_POST['password_1']);
$password_2 = mysqli_real_escape_string($db, $_POST['password_2']);
// form validation: ensure that the form is correctly filled
if (empty($fullname)) { array_push($errors, "Full name is required"); }
if (empty($useremail)) { array_push($errors, "Email is required"); }
if (empty($age)) { array_push($errors, "Age is required"); }
if (empty($igname)) { array_push($errors, "In game name is required"); }
if (empty($profileurl)) { array_push($errors, "Truckers-MP Profile URL is required"); }
if (empty($password_1)) { array_push($errors, "Password is required"); }
if ($password_1 != $password_2) {
array_push($errors, "The two passwords do not match");
}
// register user if there are no errors in the form
if (count($errors) == 0) {
$password = md5($password_1);//encrypt the password before saving in the database
$query = "INSERT INTO users (fullname, email, age, igname, profileurl, password)
VALUES('$fullname', '$useremail', '$age', '$igname', '$profileurl', '$password')";
mysqli_query($db, $query);
$_SESSION['useremail'] = $useremail;
$_SESSION['success'] = "You are now logged in";
header('location: index.php');
echo '<script language="javascript">';
echo 'alert("Once an admin reviews your account, they will send you an email alerting you that you can login. Please be patient.")';
echo '</script>';
}
}
// ...
// LOGIN USER
if (isset($_POST['login_user'])) {
$useremail = mysqli_real_escape_string($db, $_POST['useremail']);
$password = mysqli_real_escape_string($db, $_POST['password']);
if (empty($useremail)) {
array_push($errors, "Email is required");
}
if (empty($password)) {
array_push($errors, "Password is required");
}
if (count($errors) == 0) {
$password = md5($password);
$query = "SELECT * FROM users WHERE email='$useremail' AND password='$password'";
$results = mysqli_query($db, $query);
if (mysqli_num_rows($results) == 1) {
$_SESSION['user_level'] = $row['user_level'];
$_SESSION['useremail'] = $useremail;
$_SESSION['success'] = "You are now logged in";
header('location: index.php');
}else {
array_push($errors, "Wrong username/password combination");
}
}
}
?>
I'm sure I'm not doing it right but at least I can say I damn well tried. Any help would be greatly apprechiated.
There is undefined variable $row. Define it first (fetch_assoc()), then you can assign it into session.
if (mysqli_num_rows($results) == 1) {
$row = mysqli_fetch_assoc($results);
$_SESSION['user_level'] = $row['user_level'];
$_SESSION['useremail'] = $useremail;
...
}
mysqli_num_rows returns the number of rows in a result set. Not the indexes! You can keep this code and assign this way -> $_SESSION['user_level'] = $row[some index]; (if your table is like id,user,pass,mail' some index will be 1.
If you want to have a text index, just look for the mysqli_fetch_array